So I have a very simple login-form in html/php
login1.php
<?php include('settings.php'); ?>
<!DOCTYPE html>
<html>
<head>
<title>login</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<form id="form1" name="form1" method="post" action="<?=$basehttp;?>/login_auth1.php">
<input name="ahd_username" type="text" id="ahd_username" size="35" maxlength="255" />
<input name="ahd_password" type="password" id="ahd_password" size="35" maxlength="35" />
<input type="submit" name="Submit" value="Login" />
</form>
</body>
</html>
login_auth1.php
<?php
include('settings.php');
print_r($_POST);
print_r(getallheaders());
if(isset($_POST['ahd_username']) && isset($_POST['ahd_password'])){
//database queries and stuff, send user elsewhere if login correct
}
?>
<!DOCTYPE html>
<html>
<head>
<title>login</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<form id="form1" name="form1" method="post" action="<?=$basehttp;?>/login_auth1.php">
<input name="ahd_username" type="text" id="ahd_username" size="35" maxlength="255" />
<input name="ahd_password" type="password" id="ahd_password" size="35" maxlength="35" />
<input type="submit" name="Submit" value="Login" />
</form>
</body>
</html>
When running login1.php (in some) web browsers the POST in login_auth1.php will be empty. But when submiting the exact same form again from login_auth1.php it works just fine. What might be the cause of this error? How to debug further? FYI The server is running Varnish.
Link to output with headers for some calls can be found in this textfile.
Edit:
Have no hair left on my head now but I've figured out a way that "works". If I merge my loginfiles to a single file, put that file into a separate folder /login, removing the url in action tag completly (so it will be action="") and configure Varnish to
if (req.url ~ "/login"){
set req.backend = mybackend;
return (pass);
}
it will work. This feels like a really crappy "solution", especially the part with removing the string in the action tag but it's the only way that I've made it work. I've tried tons of different Varnish configurations, including return (pipe). Does anyone have any idea on how to get it to work properly? Or why this weird version above works?
A good and lasting practice, to replace your quick hack, is to not cache any post requests by:
if ( req.request == "POST" ) {
return (hit_for_pass);
}
Varnish' standard behaviour[1] (at least in 3.0, debian) is to pass POST request directly to backend:
sub vcl_recv {
#...
if (req.request != "GET" && req.request != "HEAD") {
/* We only deal with GET and HEAD by default */
return (pass);
}
#...
}
So if default code is not reached (you call return(xxx) in your vcl_recv) you should take care of this kind of requests in your own VCL code, returning a pass or either a hit_for_pass as suggested by Clarence.
[1] https://www.varnish-cache.org/docs/3.0/reference/vcl.html#examples
Related
So i have a file with PHP and HTML in it. The HTML works fine but when i enter the PHP it does not render anything for some reason. See code for beter refrence.
Also logs don't really say anything about the issue.
This fails to do anything
<?php
echo $_POST['naam'];
die();
?>
<!DOCTYPE html>
<html>
<head>
<title>Scouts Permeke</title>
<link rel="stylesheet" type="text/css" href="siteStyle.css">
</head>
<body>
<H2>Login</H2>
<form action="login.php" method="POST">
<input name="naam" type="text" id="naam" class="form-control" placeholder="Gebruikersnaam"/><br>
<input name="psw" type="password" id="psw" class="form-control" placeholder="Passwoord"/><br>
<button type="submit">Login</button>
</form>
</body>
</html>
But this shows my HTML as intended.
<!DOCTYPE html>
<html>
<head>
<title>Scouts Permeke</title>
<link rel="stylesheet" type="text/css" href="siteStyle.css">
</head>
<body>
<H2>Login</H2>
<form action="login.php" method="POST">
<input name="naam" type="text" id="naam" class="form-control" placeholder="Gebruikersnaam"/><br>
<input name="psw" type="password" id="psw" class="form-control" placeholder="Passwoord"/><br>
<button type="submit">Login</button>
</form>
</body>
</html>
You need to check if the variable is actually set, otherwise it will always print out the content of $_POST['naam'] without bothering if the user already inputted data and pressed the Submit-button.
if(isset($_POST['naam'])) {
echo $_POST['naam'];
die();
}
That is because it is ignoring an error as the $_POST array doesn't have the "naam" variable and your php.ini for display error is off. In php, if the array doesn't contain the key it will throw error and in this the error is ignored because of the production settings. Also, this is the reason why the "die();" line is not interpreted. Please check if php.ini has or commented
display_errors: Off
and make it into
display_errors: On
Restart apache to getting the settings work.
You can also remove/comment the first line of code in PHP tag and see if die() is working. Please do let us know if this fixed your error.
I'm trying to save cookie using img tag. I used img tag in thankyou.php and wrote cookie related code in pixel.php file.
These three files are in the same directory(Folder Name: landing).
Here is index.php file code.
<html>
<head>
<title></title>
</head>
<body>
<form action="thankyou.php" method="GET">
<input type="text" name="name" placeholder="Name" required />
<input type="email" name="email" placeholder="email" required />
<input type="submit" value="Subscribe" />
</form>
</body>
</html>
Here is thankyou.php file code.
<html>
<head>
<title></title>
</head>
<body>
<h3>You've successfully subscribed for this campaign.</h3>
<img alt="" width="1" height="1" style="display:none" src="pixel.php?e=<?= $_GET['email'] ?>&c=book_bonus_video_1" />
</body>
</html>
Here is pixel.php file code.
$sCampaign = # $_GET['c'];
$sCampaign = urldecode($sCampaign);
$sEmail = # $_GET['e'];
$sEmail = urldecode($sEmail);
setcookie('campaign_' . $sCampaign,strtolower($sEmail),time()+60*60*24*365,'/');
header('Content-Type: image/gif');
die(base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='));
When I submit form(index.php), thankyou.php page is opened but cookie is not created. But when i write URL ( http://www.example.com/landing/pixel.php?e=user#email.com&c=book_bonus_video_1 ) in browser it creates cookie.
I don't know where is issue in my code.
Thanks in advance for guiding me.
when the user input a name to a form. how to display the name to another webpage?
so i have 2 webpage here it is
webpage 1:
<html>
<body>
<form action="lol.php" method="post" <div id="name">
<label for="txtname">name: </label> <br/>
<input type="text" name="txtname" value="" /> </div>
</html>
webpage 2 :
<html>
<body>
<p> echo 'welcome! $_POST
</html>
huhuhu so whats next ? :( im kinda new to php please be gentle guys tnx
As an addition to the already existing answers: One very important thing to keep in mind is protection against Cross Site Scripting attacks. You must assume "All Input Is Evil!". Users might not only enter their name or something like that but also JavaScripts (XSS or even persistent XSS, if you save the inputs) or parts of SQL querys to perform an SQL injection.
Let's say your script accepts a variable called txtname from GET or POST (this is what $_REQUEST means). And you have this code:
<?php echo "Welcome!" .$_REQUEST['txtname']; ?>
One could build a link like this:
http://yourhost/yourscript.php?txtname=<script%20type="text/javascript">alert("This%20might%20also%20be%20an%20evil%20script!");</script>
Then one uses a URL shortening service to build a harmless looking link redirecting to the attacker's URL above, e.g.
http://short.xy/dfudf7
which will redirect the user to the evil JavaScript link above. Then your website will execute any JavaScript or embedd evil iframes or whatever an attacker wants. Your users / customers will only see your website in the address bar and will think all that comes from you although a hacker added malicious parts to the site they view.
Therefore, whenever you output something that comes directly or indirectly from a user input (regardless whether read by $_REQUEST or fetched from a database), you have to make sure, HTML special chars like < and > don't work any more! php offers the function htmlspecialchars to escape these dangerous characters. Then they are displayed just as text and do not function as HTML/JavaScript.
By the way, this is not a protection against SQL injections. If you plan to use a database later, you will also have to look for that. Also in this area there are functions to "demine" a user input before passing it to a database.
You are missing to close <form> tag, missing to add submit button, I have fixed your form and it should be like...
webpage.html
<form action="lol.php" method="post">
<div id="name">
<label for="txtname">name: </label> <br/>
<input type="text" name="txtname" value="" />
<input type="submit">
</div>
</form>
lol.php
<?php echo "Welcome!" .$_POST['txtname']; ?>
NOTE
You can also use $_REQUEST to print name..
<?php echo "Welcome!" .$_REQUEST['txtname']; ?>
Page : 1
<html>
<body>
<form action="lol.php" method="post" <div id="name">
<label for="txtname">name: </label> <br/>
<input type="text" name="txtname" value="" /> </div></form>
</html>
Page : 2
<?php
echo "Welcome ".$_POST['txtname'];
?>
You are missing to close <form> tag, missing to add submit button
webpage.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>webpage</title>
</head>
<body>
<form action="lol.php" method="post" name="form" id="form">
<div id="name">
<label for="txtname">name: </label>
<br/>
<input type="text" name="txtname" id="txtname" />
<input type="submit" name="submit" id="submit" value="Submit">
</div>
</form>
</body>
</html>
lol.php
<?php
if((isset($_REQUEST['submit']) && trim($_REQUEST['submit']) =='Submit'))
{
$txtname = addslashes(trim($_REQUEST['txtname']));
echo "Welcome ".$txtname;
}
?>
The problem goes as follows:
File 1 which has the name of: Lesson 17_Forms - Simple Form.php
and
File 2 which has the name of: Lesson 17_Forms - Process.php
The contents of file 1 are as follows:
<html>
<title>Lesson 17_Forms - Simple Form</title>
<head>
<center><h1>Lesson 17_Forms - Simple Form</h1></center>
</head>
<body>
<form action= "Lesson 17_Forms - Process.php" method="post">
Username: <input type="text" name="username" value="" />
<br />
Password: <input type="password" name="password" value="" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
The contents of file 2:
<html>
<title>Lesson 17_Forms - Process</title>
<head>
<center><h1>Lesson 17_Forms - Process</h1></center>
</head>
<body>
<?php
// Ultra-simple form processing
// Just retrieve the value and return it to the browser
$username = $_POST['username'];
$password = $_POST['password'];
echo "{$username}: {$password}";
?>
</body>
</html>
Both files are in the same directory, when i am trying to process the form by clicking the submit button, i am receiving the following error:
Object not found!
The requested URL was not found on this server. The link on the
referring page seems to be wrong or outdated. Please inform the author
of that page about the error.
If you think this is a server error, please contact the webmaster.
Error 404
localhost Sat 12 May 2012 02:40:39 PM EEST Apache/2.2.21 (Unix) DAV/2
mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1
mod_perl/2.0.5 Perl/v5.10.1
Any suggestions are greatly appreciated.
No spaces are allowed in url -> change the names to simple_form.php and process.php.
or if you want to keep spaces in name then replace all spaces by '%20' whenever you use it as a url.
Or the best option is to use urlencode -> it automatically replaces all non-allowed characters by their web acceptable placeholders.
<form action=<?php echo '"'.urlencode("Lesson 17_Forms - Process.php").'"'; ?> method="post">
Make sure you have both files on the same directory. Also, eliminate any spaces in file names, while valid, they will cause massive headaches. So name your files something more like: lesson17_forms_process.php.
Also, after some modifications, this is the code I get:
<?php
//Initialize variables
$fields_set = false;
$username = "";
$password = "";
//Validity check
if (isset($_POST['username']) && isset($_POST['password'])) {
$fields_set = true;
$username = $_POST["username"];
$password = $_POST["password"];
}
?>
<html>
<head>
<title>Lesson 17_Forms - Process</title>
</head>
<body>
<h1 style="text-align: center;">Lesson 17_Forms - Process</h1>
<?php
//Display results if validity passed, or error in case it didn't.
if ($fields_set) {
echo "{$username}: {$password}";
}
else {
echo "Error! username or password not set!";
}
?>
</body>
</html>
Some Points
I process all form data before I start sending HTML. Separate logic and display as much as possible.
I removed the h1 element from the head and placed it in the body (where it belongs). All page content must go in body.
I removed the presentational element <center> and replaced it with CSS.
I validate the input prior to processing.
I display an error in case the form is not valid.
I'll use your existing code, and modify it. With new file names.
I did also correct your HTML.
Create a file named: form.php, insert the code below:
<html>
<head>
<title>Submit form</title>
</head>
<body>
<center><h1>Submit form</h1></center>
<form action="process.php" method="post">
Username:<input type="text" name="username" value="" />
<br />
Password: <input type="password" name="password" value="" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
Create a file named: process.php, insert the code below:
<html>
<head>
<title>Your form</title>
</head>
<body>
<center><h1>Lesson 17_Forms - Process</h1></center>
<?php
// Ultra-simple form processing
// Just retrieve the value and return it to the browser
$username = $_POST['username'];
$password = $_POST['password'];
echo "{$username}: {$password}";
?>
</body>
</html>
That should work perfectly, remember to have both files in the same folder.
I'm building my first PHP website (attempting to, anyway!), and I'm trying to create a contact form whose contents are submitted to me via email. I've got the email part down, but I'm having trouble getting the form ("contact.php") to accept data. It automatically refreshes as soon as I type a character in any field. Here's the relevant code:
<div class="contactform">
<form name="contactform" method="post" action="contact-receiver.php">
<fieldset><legend><strong>Required Information</strong></legend>
First Name: <input type="text" name="firstName" size="35" maxlength="30"/>
Last Name: <input type="text" name="lastName" size="35" maxlength="30"/>
Email: <input type="text" name="emailAddress" size="60" maxlength="55"/>
</fieldset>
<input type="submit" value="Submit"/>
<input type="reset" value="Reset"/>
</form>
</div>
This works fine when tested independent from the rest of the site. However, here's the context:
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<link rel="stylesheet" type="text/css" href="styles.css" />
</head>
<body>
<?php include 'header.php'; ?>
<?php
$id = $_GET['id'];
switch($id)
{
case 'main':
include 'storeinfo.php';
break;
case 'shop':
include 'inventory.php';
break;
case 'cart':
include 'cart.php';
break;
case 'contact':
include 'contact.php';
break;
default:
include 'error.php';
}
?>
<?php include 'footer.php'; ?>
</body>
</html>
"contact.php" works fine when displayed as a separate page, but won't accept any input when accessed as an include file. If I try to enter data in any of the fields, the page immediately refreshes after I type the first character, and the data is lost.
If anyone could point me in the right direction, I would really appreciate it!
EDIT
Disabling Javascript didn't work. I cleared my cache and restarted my browser (Firefox) just to be sure. While I'm working on that voodoo priest, here's the page source for index.php?id=contact:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Main</title>
<link rel="stylesheet" type="text/css" href="styles.css" />
</head>
<body>
<div>
<p><img src='headerimg.png' class='header'/></p><a href='index.php?id=main'>
<img src='mainbutton.png' class='nav1'</a><a href='index.php?id=shop'>
<img src='shopbutton.png' class='nav2'</a><a href='index.php?id=cart'>
<img src='cartbutton.png' class='nav2'</a><a href='index.php?id=contact'>
<img src='contactbutton.png' class='nav2'</a>
</div>
<div class="contactform">
<form name="contactform" method="post" action="contact-receiver.php">
<fieldset><legend><strong>Required Information</strong></legend>
First Name: <input type="text" name="firstName" size="35" maxlength="30"/>
Last Name: <input type="text" name="lastName" size="35" maxlength="30"/>
Email: <input type="text" name="emailAddress" size="60" maxlength="55"/>
</fieldset>
<input type="submit" value="Submit"/>
<input type="reset" value="Reset"/>
</form>
</div>
<div id = "footer">
<p>©2012</p>
</div>
</body>
</html>
It sounds like a Javascript-related problem.
Check and make sure you're not including any scripts which try to autocomplete, as being misconfigured might cause it to send a request upon key up which would cause the behavior you're mentioning.
An easy way to test this is to disable JavaScript in your browser and see if the issue continues. If it does, it means you have ghosts in your computer and should see a voodoo priest. If the issue doesn't persist, it means it's an issue with some JavaScript on your site.
Posting some contents of header.php will help, as well. OR, you could simply post the complete HTML page source once - that is, visit your index.php?id=contact page, hit view source, and show that here.